Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Tor Blacklisting Exit Nodes Vulnerable To Heartbleed

timothy posted about 3 months ago | from the all-tor-up dept.

Encryption 56

msm1267 (2804139) writes "The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 nodes vulnerable to Heartbleed where he was able to retrieve plaintext user traffic. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear."

cancel ×

56 comments

Sorry! There are no comments related to the filter you selected.

So much for Net Neutrality. (0)

Anonymous Coward | about 3 months ago | (#46780113)

You know it's bad when Tor starts blacklisting people. God help us if Edward Snowden had been trying to use a site that was vulnerable to Heartbleed.

Re:So much for Net Neutrality. (1)

The123king (2395060) | about 3 months ago | (#46780143)

He probably was/did

Re:So much for Net Neutrality. (-1)

Anonymous Coward | about 3 months ago | (#46780179)

It wouldn't matter if he was. Snowden hand delivered his stolen documents. And now Russian and China almost certainly have them. It will cost billions to fix for the US and the taxpayers will foot the bill. The UK and Australia are looking at some big bills too more than likely. Even Canada is caught in Snowden's web.

It sucks unless you are Russia, China, or a terrorist.

Re:So much for Net Neutrality. (3, Insightful)

TechyImmigrant (175943) | about 3 months ago | (#46780195)

>It will cost billions to fix for the US and the taxpayers will foot the bill.

I haven't noticed the sky fall in yet. Maybe that information didn't need to be secret.

Re:So much for Net Neutrality. (1)

cold fjord (826450) | about 3 months ago | (#46780359)

So you are saying your ignorance of the evidence convinces you of your position?

Apparently you aren't familiar with termites.

And even better, you apparently don't seem to have the imagination to see how knowledge of where and how surveillance systems operate could allow you to avoid them or mitigate against them? And you claim to be a system architect?

Russia has just admitted that it really did move members of its armed forces into Crimea prior to the annexation. How do you think they managed that without people catching on?

Re:So much for Net Neutrality. (1)

oodaloop (1229816) | about 3 months ago | (#46780565)

Russia has just admitted that it really did move members of its armed forces into Crimea prior to the annexation. How do you think they managed that without people catching on?

Maybe old school subterfuge? Or are you arguing we need mass warrantless surveillance of American citizens in order to track Russain military units overseas?

Re:So much for Net Neutrality. (1)

cold fjord (826450) | about 3 months ago | (#46780623)

Maybe you haven't noticed that Snowden leaked a LOT more material than just that. And that is assuming that the Russians don't have everything he had.

Re:So much for Net Neutrality. (1)

TechyImmigrant (175943) | about 3 months ago | (#46781089)

And yet you haven't shown a single detrimental results from the Snowden leaks. Not one, unless you count the forced travel plans of Mr Snowden.

Re:So much for Net Neutrality. (0)

cold fjord (826450) | about 3 months ago | (#46781199)

I guess you don't count the fact that the US Federal government is spending billions of dollars to try to repair some of the damage from Snowden's theft and leaks as detrimental. You'll be helping to pay for that since you live in the US. No doubt GCHQ will be paying some bills as well.

There has certainly been other fallout from that, but apparently we can count on you to never go looking for it.

Re:So much for Net Neutrality. (3, Insightful)

TechyImmigrant (175943) | about 3 months ago | (#46781323)

> the fact that the US Federal government is spending billions of dollars to try to repair some of the damage from Snowden's theft and leaks

They are choosing to spend the money, but they haven't demonstrated the damage.

I see many benefits. The security community and users have a better understanding of the risk landscape and have been changing their behavior as a result.

Re:So much for Net Neutrality. (1)

cold fjord (826450) | about 3 months ago | (#46788159)

The only reason that they have the money to spend is because they made a case to Congress, demonstrated the damage, and had their appropriation increased to recover from the damage. They don't get to spend whatever money they want to "just because."

The "many benefits" you see are only the places you look in your narrow view. You aren't looking anywhere near the national security landscape, only the "security landscape" comprised of internet programmers and activists. You avert your eyes from the real damage and see what you choose to. Your view is uninformed and stunted.

Re:So much for Net Neutrality. (0)

Anonymous Coward | about 3 months ago | (#46788249)

There is always money to spend, it's just easier when a 'crisis' comes along and you have friends already in place to soak up all the extra money being thrown around.

Re:So much for Net Neutrality. (0)

Anonymous Coward | about 3 months ago | (#46788451)

Not in the amounts we're talking about, no.

Re:So much for Net Neutrality. (1)

TechyImmigrant (175943) | about 3 months ago | (#46788359)

Come back and say "I told you so" when we get invaded by an aggressor nation empowered to do so by the Snowden leaks.

Until then, all you are arguing is that embarrassment of the government constitutes damage to national security. That is purest, top quality bullshit.

Re:So much for Net Neutrality. (1)

cold fjord (826450) | about 3 months ago | (#46788619)

Oh, I see, the only thing that counts is the gravest possible outcome that is also by far the least likely. Lesser outcomes that might kill people by the hundreds, thousand, or tens of thousands don't count? Outcomes that we could not influence that damage friends or allies due to being blinded don't count? Being put at a serious disadvantage to foreign adversaries doesn't count? It's just fine with you that Russia or China seizes territory from whatever other country they care to, and which but for proper warning might have been avoided? Iran getting nuclear weapons to put on top of the missiles they already have that are capable of reaching Europe doesn't count (despite Iranian threats against Europe)? A jihadi from Manchester returning from Syria, evading MI5 and leaving a "little something" in the tube in London doesn't count?

Yes, there is some highly purified BS being peddled here, and you're supplying it. The damage isn't "embarrassment" but rather blinded, now useless intelligence systems, and blueprints to infrastructure and practices to adversaries and enemies that they can exploit for their purposes, including avoiding detection. You don't know what you are talking about.

Re:So much for Net Neutrality. (1)

TechyImmigrant (175943) | about 3 months ago | (#46788769)

You know how to push the fear with non specific threats and enemies. Do you do this professionally?

Re:So much for Net Neutrality. (1)

cold fjord (826450) | about 3 months ago | (#46788951)

No, I don't. It wouldn't help if I did. Few people here are up to serious if casual fact based discussions on the matter let alone professional level ones. Fear isn't needed, only an open mind, rational thinking, and knowledge. Many of the threats are already known to various levels but people choose to ignore or disparage them because it suits their purposes, or they aren't up to a serious discussion.

Re:So much for Net Neutrality. (1)

TechyImmigrant (175943) | about 3 months ago | (#46789669)

So name these threats with specificity and explain how the Snowden leaks enabled these threats.

Re:So much for Net Neutrality. (3, Insightful)

drkstr1 (2072368) | about 3 months ago | (#46781365)

I guess you don't count the fact that the US Federal government is spending billions of dollars to try to repair some of the damage from Snowden's theft and leaks as detrimental. You'll be helping to pay for that since you live in the US. No doubt GCHQ will be paying some bills as well.

There has certainly been other fallout from that, but apparently we can count on you to never go looking for it.

Wait, that argument isn't logical. What is the government spending billions of dollars trying to repair some of the damage if there are no detrimental affects from the leaks (which you confirmed in your rebuttal)? Sounds to me like they are spending billions of dollars covering up the mess they themselves created. Maybe they should just stop doing that. Problem solved.

Re:So much for Net Neutrality. (1)

cold fjord (826450) | about 3 months ago | (#46788211)

Your post is a tribute to misunderstanding (or trolling?) and bad moderation. There are detrimental effects from Snowden's leaks. I don't know how you think I said there wasn't.* It is entirely logical that they are spending money to repair the damage caused Snowden's leaks. The mess was caused by Snowden, and you are paying for the clean up. The US will be vulnerable for years or decades to come.

* Well, maybe I do know how you managed to achieve such a "misunderstanding" based on your sig: Fanboy .... Ron Paul.

Re:So much for Net Neutrality. (0)

Anonymous Coward | about 3 months ago | (#46781677)

US Federal government is spending billions of dollars

You say that as if the federal government needed an excuse to spend billions of dollars.

Go away and die in a fire, cointelpro operator.

Re:So much for Net Neutrality. (0)

Anonymous Coward | about 3 months ago | (#46781887)

Get lost you useless prick.

Re:So much for Net Neutrality. (1)

oodaloop (1229816) | about 3 months ago | (#46783397)

Of course. Let us not forget NSA lying to congress, engaging in corporate espionage, subverting crypto standards, spying on Senators, spying on foreign leaders, and monitoring and managing online discussions on technology websites like Slashdot. But I don't see how any of that would help us track conventional military units overseas.

Re:So much for Net Neutrality. (0)

Anonymous Coward | about 3 months ago | (#46781307)

=> Russia has just admitted that it really did move members of its armed forces into Crimea prior to the annexation. How do you think they managed that without
=> people catching on?

Um, just who didn't catch on? The Ukranians knew those burly fellows in identical very-close-to-uniforms outfits and carrying all that gear weren't all locals, as did anyone else with any hint of knowledge of history in the region for, say, the past 100 years.

Re:So much for Net Neutrality. (1)

CRCulver (715279) | about 3 months ago | (#46781991)

Russia has just admitted that it really did move members of its armed forces into Crimea prior to the annexation. How do you think they managed that without people catching on?

Could you cite this please? It was my understanding that the "little green men" were simply Russian servicemen already stationed there because the peninsula has long served mainly as a large military installation that Russia leased from Ukraine. These servicemen just put on new uniforms without insignia and drove off their bases to seize the surrounding area. I'd be interested in any publication you might point to that claimed that the "little green men" were secretly moved there from Russia proper. (And even if they were, considering the normal flow of personnel between Russia and Russia's base on the peninsula, it probably could have been kept low-key regardless of the actions of a Snowden.)

Re:So much for Net Neutrality. (1)

cold fjord (826450) | about 3 months ago | (#46786735)

It was my understanding that the "little green men" were simply Russian servicemen already stationed there ...

Putin admits Crimea involvement [cnbc.com]

No, as far as I know the only Russian ground combat forces stationed in Crimea prior tot he crisis were a regiment of marines, only about 2,000 men. The Russians moved in attack helicopters, airborne infantry, spetsnaz commando units, and possibly others.

Re:So much for Net Neutrality. (0, Redundant)

Anonymous Coward | about 3 months ago | (#46780269)

...It sucks unless you are Russia, China, or a terrorist.

Or, unless you want to know the truth about how your government is spying on you. Oh, and how they trade your personal info regarding your finances, health, etc. with their friends. That sucks, too.

Re:So much for Net Neutrality. (4, Informative)

treebeard77 (68658) | about 3 months ago | (#46780319)

Russia & China got nothing from Snowden. His material is being carefully vetted by journalists and experts before any is released. Snowden, rightly, chose others to decide what was safe to be released and how/what to redact parts. Bruce Schneier is one helping them in their analysis. 6 members of congress had Schneier brief them on some of the material because the NSA wouldn't answer their questions.

Re:So much for Net Neutrality. (1)

TheCarp (96830) | about 3 months ago | (#46780459)

> Russia & China got nothing from Snowden.

Do belly-laughs count? I bet they got a number of those.

> His material is being carefully vetted by journalists and experts before any is released

Of course, since russia, china, and several others players all have their own NSA and CIA-like entities, I would assume they have made attempts, and probably been successful by now, at obtaining the entire archive... or at least, what they didn't already have of it from their own operations pre-snowden.

With Manning, I would easily make the case that nothing was revealed, because any intelligence service that couldn't get their hands on those state department cables would have to be totally incompetent and barely even trying. NSA internal docs, a bit less likely... but I wouldn't doubt they had some of it.

Now, I don't doubt that they have all of it....oh well.... its their own fault for abusing their technical abilities, NSA brought this leak upon itself.

> Bruce Schneier is one helping them in their analysis.

This is one of the few reasons to suspect they have a chance of having not been compromised; if they follow his advice of course. Discipline is hard. I remember some of the security experts expressing being quite impressed by OBLs ability to maintain an effective air gap for so many years while so prolifically using email.

Re:So much for Net Neutrality. (1)

cold fjord (826450) | about 3 months ago | (#46780537)

Russia & China got nothing from Snowden.

That is absolute bullshit on the face of it. As a minimum they have what is being published in every newspaper around the world, which isn't trivial, especially since they often pursue independent lines of stories. You wouldn't try to deny that would you? And that is assuming that they either don't have a source inside the papers that is a volunteer, a plant, or bought for a few million dollars. Who is vetting the people in the newspapers? I'm pretty sure they don't have Top Secret clearances. That also assumes that the Russians, Chinese, or the intelligence agencies of other nations haven't simply engaged in a break-in to steal the information. And that is all before you even get to the question of Snowden being disgruntled long before he stole the information and the possibility that he was actively working with the Russians or Chinese. Snowden was apparently lying for years before he stole that information, and his contacts with the Russians and Chinese in Hong Kong leave many questions. It was no surprise to the Russians when Snowden landed in Russia. Snowden or his handlers is engaged in a minor magic act, a little misdirection, a few documents pulled out of the hat with the right banter, and everyone in the audience is a true believer. He did make that rabbit appear from nowhere! He really is a true magician! He really did do it for us!

Meanwhile, today in Russia, Snowden asked Putin on TV:
Snowden: Do you spy like the US?
Putin: Of course not! That isn't legal in Russia. And we don't have the means of the rich West. And it is all tightly controlled by the government and courts.

There is a sucker born every minute.

Re:So much for Net Neutrality. (0)

Anonymous Coward | about 3 months ago | (#46781011)

Russia & China got nothing from Snowden.

That is absolute bullshit on the face of it.

No it isn't. Standard information theory: if you already know something, you don't gain anything by somebody telling it to you. Russia and China have their own excellent intelligence services, do you really expect us to believe they didn't already know what has been leaked to the public?

At best they got confirmation of what they'd alread learned -- although the sufficiently paranoid in their intelligence services would wonder if the whole Snowden thing was merely to reinforce the misinformation they'd already gathered.

Re:So much for Net Neutrality. (1)

cold fjord (826450) | about 3 months ago | (#46781135)

Unfortunately for your argument the intelligence business does not operate according to the prescriptions of technical information theory. Secondary and alternate sources of information are important as part of judging the reliability of other sources, adding context, and evaluating it. Those sorts of considerations don't really apply in trying to move bits from here to there, do they? You also seem to be committing the common fallacy of assuming that the Russians and Chinese already knew everything that Snowden took before he stole it without any proof of that, and probably because it whitewashes Snowden's crime.

Re:So much for Net Neutrality. (0)

Anonymous Coward | about 3 months ago | (#46785141)

Or you could spin it the other way and say now that the US knows that Russia and China have the Snowden information they will be more careful in the future. And all the other 'Snowdens' working secretly and giving Russia and China all the information up until now will no longer work. Seems like a huge advantage for the US right there, and all future leakers will have a much harder time disadvantaging Russia and China. All praise Snowden for plugging the leaks and helping out uncle sam.

Re: good company (0)

Anonymous Coward | about 3 months ago | (#46780347)

"It sucks unless you are Russia, China, or a terrorist."

I also think the leaks are great for improving accountability and protecting privacy. Glad to join the ranks of Russia, China, and all terrorists everywhere in this regard!

Re: good company (0)

Anonymous Coward | about 3 months ago | (#46780811)

It's all good fun until your country gets occupied, territory taken from it, or nuked. Hilarious! (You don't live in Ukraine, do you?)

The leaks will help to protect the privacy of Chinese, Russian, and Iranian spies, and terrorists. Yours, not so much.

There is at least a chance you're a fool.

Re:So much for Net Neutrality. (3, Insightful)

TheCarp (96830) | about 3 months ago | (#46781955)

> It will cost billions to fix for the US and the taxpayers will foot the bill.

It already cost us billions, and it was always going to cost us billions more. Any suggestion they were not going to waste that money anyway is just laughable. They will spend as much as they can justify in their crusade against whatever bogeymen they can dream up.

Don't people encrypt over TOR anyway? (1)

Anonymous Coward | about 3 months ago | (#46780173)

I'm under the impression the higher-end folks are encrypting their traffic before the routing layer and anyone else is an idiot, is that about right?

Re:Don't people encrypt over TOR anyway? (1)

Anonymous Coward | about 3 months ago | (#46780255)

people using it for privacy/secret stuff = yes.

people using it simply as a proxy to avoid censorship = maybe not

Re:Don't people encrypt over TOR anyway? (2)

cryptizard (2629853) | about 3 months ago | (#46780423)

That's not really the point though, since you can always encrypt traffic using TLS. The point of Tor is to hide the end point you are communicating with from someone who controls the network that your computer is on, like a decentralized VPN. You could always gather traffic on both ends (client side and end point/exit node, called an intersection attack), but it is very unlikely that one party will have control of two separate networks like that. With this attack, you don't actually need control of the other end since you can just query the exit nodes directly and they will leak traffic information to you.

Re:Don't people encrypt over TOR anyway? (0)

Anonymous Coward | about 3 months ago | (#46780641)

" and they will leak traffic information to you. " - yes, but not enough specific information to determine the endpoint with only 64k leaked, because it's encrypted. Like another poster said all you can really hope to get lucky and score is METADATA on the TOR channels going through that node, maybe some cleartext associated - but if it's encrypted even with just TLS, you're not really losing much from heartbleed attack.

My point was anyone not using encryption over TOR has their stuff blowing in the wind REGARDLESS of heartbleed.

Re:Don't people encrypt over TOR anyway? (1)

allo (1728082) | about 3 months ago | (#46782241)

when the private key of your node is stolen, you cannot provide anonymity anymore. everyone will see, where the packet you are getting will be routed, because the client decides the nodes, not the network.

Re:Don't people encrypt over TOR anyway? (0)

Anonymous Coward | about 3 months ago | (#46780429)

Yes and no. If you connect to a Tor ("hidden service") site, then the information transmitted is encrypted end-to-end.
If you connect to a standard website over Tor, then the final hop will need to decrypt the information in order to communicate with the target webserver over a normal HTTP(S) connection. It is that final node that could leak information.

The only thing that may be leaked in addition... (5, Informative)

ControlFreal (661231) | about 3 months ago | (#46780217)

... to what Tor already leaks, is the previous hop from which the exit traffic came, and possibly meta data on other tunnels relayed by (but not terminated at) the node. If the relayed connection is SSL/TLS encrypted, that encryption is end-to-end from the original client to the server; sniffing some exit-node memory does not help you there. If the related connection is in the plain, then, well, then sniffing the exit node's memory does not tell you any more than you already knew by looking at its plain-text traffic.

Now, Heartbleed is not completely harmless here: You may, if you're very lucky, be able to sniff the previous node name, but as Tor tunnels are longer than that, that does not help you much. Plus, tunnels endpoints tend to change every couple of minutes, making the cross section even smaller. Also, you may now be in a position to sniff data from nodes whose ISP network you do not control, allowing you to do network-wide attacks. That may in fact be the biggest problem.

Re:The only thing that may be leaked in addition.. (4, Informative)

cryptizard (2629853) | about 3 months ago | (#46780383)

The point is that, if you know the IP address of the exit node, you can use the heartbleed bug to examine it's outgoing traffic even if you don't have control of the network the exit node is on. This makes intersection attacks much easier because you only need to have data from one end. If I control a network where I see some Tor users, all I have to do is use this exploit on exit nodes until I see outgoing traffic that matches the traffic I see on my own network. I can then link that data to clients on my network and Tor is defeated. This attack is always possible if you control both the client's network and the end point they are communicating with (or some piece of the network between the exit node and the end point), but with this attack you don't need to actually control any part of the network on the exit side because you can just query the exit nodes directly and they will tell you themselves.

Run an exit node. (0)

Anonymous Coward | about 3 months ago | (#46784673)

Attack is as effective as running an exit node. Wow, so dangerous.

Collin Mulliner (0)

Anonymous Coward | about 3 months ago | (#46780743)

So, when is this guy going to be charged for hacking under US terrorism laws?

Better yet (1)

Arancaytar (966377) | about 3 months ago | (#46781047)

It'd be neat if tor exit nodes enforced a complete no-plaintext policy (and the tor network, in turn, blacklisted exit nodes that didn't do this). Any plain http connection you try to tunnel through tor should be blocked as soon as it reaches the exit node, just as a precaution.

Re:Better yet (1)

cryptizard (2629853) | about 3 months ago | (#46781149)

What does that have to do with anything? You could still learn the destination address, which is what Tor is trying to hide.

Re:Better yet (0)

Anonymous Coward | about 3 months ago | (#46781261)

That's a big maybe.

Re:Better yet (0)

Anonymous Coward | about 3 months ago | (#46781305)

There are a lot of websites that dont implement ssl.

What we should do instead is have browsers not freak out if they are using an unsigned cert. Instead show them as having no encryption. This way people at least need to do an active man in the middle attack. This will require cooperation from all large browser manufacturers, so it most likely wont happen.

Then someone big (google and bing) require everyone to have ssl on their sites if they want to get their content indexed. Boom, over the course of a week everyone who doesn't have certs gets self signed certs.

poor NSA (0)

Anonymous Coward | about 3 months ago | (#46781241)

I feel a great disturbance in the force, as if millions of NSA agents cried out in terror

More attacks on Tor by the Republicans (1)

Anonymous Coward | about 3 months ago | (#46781345)

As they keep taking more and more nodes down with these policy changes, Tor becomes even slower and less reliable. These continued attacks will destroy Tor if we allow them to continue. We should fight against this attempt to shut-down nodes.

Re:More attacks on Tor by the Republicans (0)

Anonymous Coward | about 3 months ago | (#46781517)

Seriously now? "Don't let the network that aims to anonymize traffic drop the nodes that leak private, potentially useful for identification, data!"

JTRIG agent #3451, you forgot to login.

Re:More attacks on Tor by the Republicans (0)

Anonymous Coward | about 3 months ago | (#46783053)

No, they're trying to destroy it. Remember Stevenson's rant against Tor? It was insane. Those people are crazy, and they hate us.

TOR gets abused by trolls & such (0)

Anonymous Coward | about 3 months ago | (#46785685)

The only thing I have against TOR or any anonymizing proxy, is that 90% of the time, they definitely being abused (not used even), for doing bad things like trolling/harassing others, or worse.

APK

P.S.=> Let's be honest here - you know it. I KNOW it, & anybody else reading here does too (it's as badly abused as sockpuppetry is here & on say, arstechnica)... apk

Addendum to what else sucks about TOR (0)

Anonymous Coward | about 3 months ago | (#46785701)

It's also slow as shit. Like any allegedly anonymous proxy. This includes exit nodes as well. The whole shebang, & it's not even secure (apparently, never really was) & many of these things are inflitrated by the (enter lettered agency there) most likely too is my guess. So why have "all that" (lol, not) & go SLOWER too?

Makes no sense. It sounds useless now.

APK

P.S.=> Sorry, that's my take on those, in addition to earlier about how TOR gets abused by trolls and freaks to do henous reprehensible things... apk

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>